JSON Web Tokens (JWT) are an open standard (RFC 7519) for securely transmitting information between parties. This tool runs entirely in your browser; tokens and secrets never leave your machine.
Decode, verify, and generate JSON Web Tokens. Runs entirely in your browser.
A JSON Web Token (JWT) is a compact, URL-safe token made of three Base64URL-encoded parts: a header, a payload, and a signature. JWTs are the standard way to pass authentication claims between services in OAuth 2.0, OpenID Connect, and API gateway flows.
Paste a token to instantly decode its header and payload. You can verify HMAC (HS256/HS384/HS512) signatures by entering the secret, or generate a brand-new signed token. All processing happens client-side — your tokens never leave the browser.
Check the 'exp' and 'nbf' claims first when a token is rejected — clock skew and expired tokens are the most common issues. Also verify that the 'aud' and 'iss' claims match what your API expects.
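The checks from the tip above, written out as an added example (not part of the original page or the tool's own code): it decodes a token's payload and reports which of `exp`, `nbf`, `iss` and `aud` would cause a rejection, with a configurable allowance for clock skew. The function names, the 60-second default leeway and the issuer/audience values are assumptions chosen for illustration.

```javascript
// Diagnostic only: this decodes WITHOUT verifying the signature, so the output
// explains a rejection but must never be used to accept a token.
function decodePart(part) {
  // Base64URL -> Base64 with padding restored, then UTF-8 JSON.
  const b64 = part.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

// Hypothetical helper: lists the claim checks that would reject this token.
// `now` and `leeway` are seconds; `leeway` is the clock skew you tolerate.
function diagnoseJwt(token, expected, now = Math.floor(Date.now() / 1000), leeway = 60) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return ["format: expected header.payload.signature"];
  let claims;
  try {
    claims = decodePart(parts[1]);
    if (claims === null || typeof claims !== "object") throw new Error("not an object");
  } catch (err) {
    return ["format: payload is not a Base64URL-encoded JSON object"];
  }
  const problems = [];
  // exp and nbf are NumericDate values: seconds since the Unix epoch, not milliseconds.
  if ("exp" in claims) {
    if (typeof claims.exp !== "number") problems.push("exp: not a NumericDate");
    else if (now - leeway >= claims.exp) problems.push(`exp: expired ${now - claims.exp}s ago`);
  }
  if ("nbf" in claims) {
    if (typeof claims.nbf !== "number") problems.push("nbf: not a NumericDate");
    else if (now + leeway < claims.nbf) problems.push(`nbf: not valid for another ${claims.nbf - now}s`);
  }
  if (claims.iss !== expected.issuer) problems.push(`iss: got ${JSON.stringify(claims.iss)}`);
  // aud may be a single string or an array of strings.
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(expected.audience)) problems.push(`aud: got ${JSON.stringify(claims.aud)}`);
  return problems;
}

// Constructed sample token; the third part is a placeholder, not a real signature.
function sampleToken(claims) {
  const enc = (obj) =>
    btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "HS256", typ: "JWT" })}.${enc(claims)}.placeholder-signature`;
}
```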